not rely on a cookie
Right, I understand this, but there is conflicting info about this in the Auth0 docs. There is documentation that specifically mentions the use of cookies in certain circumstances, such as when you are running your own back end, or when the back end is on the same domain as your SPA, etc.
The reason I ask is because I am trying to authenticate calls for binary data that are made with <img> tags using their src attributes, which cannot attach an authentication token to their headers. I brought this up in another topic (Correct way to make authenticated calls for binary data in image tags - #6 by mathiasconradt), and one suggestion is to load the binary data directly into the src attribute, but this is still not ideal because it requires additional complexity as well as forcing workarounds should the user, for instance, want to link the image (e.g., to another user who is also authorized to view it), among other potential lurking issues. It also appears to preclude the possibility of loading non-image binary data via authenticated requests, such as video and audio.
IMO this seems like an oversight on the part of Auth0. It may be an infrequent use case, but surely the need to authenticate requests for data loaded via HTML elements is something that should have a defined solution and path, rather than resorting to hacky workarounds?